Asa 8.x using Trunking and Vlans to get more ports

Jun 3rd, 2008

I have been searching CCO to find a config guide that shows how to setup an ASA running 7.2 or 8.x trunking to a L3 switch. Getting an 5510 and I need 7 interfaces, so I am two short. I will be getting the Security Plus so I can do failover.

Where is this config guide, does it exist? I see one for the 5505, but that isn't the 5510. thanks

JORGE RODRIGUEZ Tue, 06/03/2008 - 12:25

Here you go, basic reference 802.1q and subinterfaces

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/intrface.html

If you need further assistance let me know and I can help you with a basic script, but it is very straightforward: create your subinterfaces with appropriate security levels if they are DMZs. There is no trunking-specific command in the ASA; once you create the subinterfaces and physically connect the ASA interface to your switch trunk, that's pretty much it. Create your trunk on the switch and allow the VLANs you want.

You may use this thread as reference.

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40.2cbf5ff2/0#selected_message

Bst Rgds

-Jorge

dmooreami Tue, 06/03/2008 - 12:51

Ok, I have read that before. It looks like to me I can use both the physical ports as before and Trunking/VLAN features.

What I need is this.

1) Use the physical NameIf interfaces on the ASA for inside/outside/dmz1/failover. I realize that this will require setting up the Mgt interface as a "real interface" and not a mgt interface. There is a tech note on doing that.

2) Use the 5th port on the ASA with VLAN/Trunking to support Dmz2/Extranet interfaces via the 6500 switch.

There is still no example as to what the finished ASA config looks like here on the cisco site.

Typically cisco will have a config guide with diagrams, device configs and traffic flows.

Is this some hidden feature that Cisco doesn't want users to know about so they will purchase the 4port GigE card for the ASA that costs more than the 5510 itself? :)

JORGE RODRIGUEZ Tue, 06/03/2008 - 16:42

Doug,

For number 1) and 2):

Does each of the above requirements need its own physical interface? If so, then you are letting the trunking feature that ASA 7.x and above provides pass you by; you could accomplish inside/outside/dmz1 off one interface with trunking. Use the management interface if you get the Security Plus license, make it a routed port, and do your failover using that physical interface.

In the above scenario you will have used two physical ports and still have three physical ports left.

Now if you need physical interfaces, you could do one interface for inside and one for outside,

use the mgt interface for failover, and you still have two physical interfaces left; use one of these two for DMZ1/DMZ2 and/or any extranet interfaces needed using 802.1q.

Is this some hidden feature that Cisco doesn't want users to know about so they will purchase the 4port GigE card for the ASA that costs more than the 5510 itself? :)

No hidden features I'm aware of; it simply comes down to using 802.1q trunking and subinterfaces. Remember that with Security Plus you have up to 100 virtual interfaces for the entire ASA 5510 unit, and all of them can use nameif.

Rgds

-Jorge

PLS rate any helpful post if it helped
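As an added illustration of the layout Jorge describes (not a config from the thread or from a Cisco guide), here is what the ASA side and the 6500 side of the trunk look like for Doug's case: inside/outside/failover on physical ports, and DMZ1/Extranet as 802.1q subinterfaces on the fifth port. VLAN numbers, interface names and addresses are constructed for the example.

```text
! ---- ASA 5510 (7.2/8.x) : constructed example, not from the thread ----
! Physical trunk port: leave it WITHOUT nameif/ip so untagged frames arriving
! on the switch's native VLAN are not accepted as a fifth, unintended segment.
interface GigabitEthernet0/2
 description 802.1q trunk to 6500 Gi1/1
 no nameif
 no security-level
 no ip address
 no shutdown
!
! One subinterface per VLAN; each gets its own nameif, security level, address.
interface GigabitEthernet0/2.10
 description DMZ1 (VLAN 10)
 vlan 10
 nameif dmz1
 security-level 50
 ip address 192.0.2.1 255.255.255.0
!
interface GigabitEthernet0/2.20
 description Extranet (VLAN 20)
 vlan 20
 nameif extranet
 security-level 40
 ip address 198.51.100.1 255.255.255.0
!
! Management0/0 reused as the failover LAN link (Security Plus); removing
! management-only is the "real interface" step Doug refers to.
interface Management0/0
 description LAN failover link
 no management-only
 no shutdown
!
failover lan interface folink Management0/0
failover interface ip folink 10.255.255.1 255.255.255.252 standby 10.255.255.2

! ---- Catalyst 6500 (IOS) : matching trunk port, constructed example ----
interface GigabitEthernet1/1
 description trunk to ASA Gi0/2
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 switchport nonegotiate
```

The ASA does not speak DTP, so the switch port is forced to trunk with `switchport nonegotiate`, and the allowed-VLAN list is pruned to exactly the VLANs that have ASA subinterfaces.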
